Electronic health information and privacy

April 25, 2012

2 Medicaid Data Breaches, 1 Weak Link: Employees

For the second time in less than a month, there has been a major data security breach at a state Medicaid agency.

The South Carolina Department of Health and Human Services (SCDHHS) discovered on April 10 that an employee of the state's Medicaid program had transferred personal information of 228,435 Medicaid beneficiaries to his personal email account.

The compromised records had patient names, phone numbers, addresses, birth dates, and Medicaid ID numbers, but no private medical records or financial information. In 22,604 cases, the records included Medicare numbers that contained Social Security numbers.

After the department detected the transfers, it contacted the state law enforcement agency.

The employee was terminated, and the affected individuals were notified of the security breach.

The risk of this type of transfer of confidential information by employees is increasing because many organizations are using Web browsers as the primary platform for viewing information, Bill Morrow, a security expert and CEO of Quarri Technologies, told InformationWeek Healthcare.

The best way to prevent employees from using browsers to replicate confidential information, Morrow said, is to deploy what he calls "hardened browsers," which are available from several vendors.

The key to using a hardened browser, he added, is to strike an appropriate balance between employees' need to use data and a security policy that prevents unauthorized movement of confidential information.